Compliance and information security risk mitigation are a 24/7/365 business. Studies by PricewaterhouseCoopers indicate that security incidents experienced an incredible 66% compounded annual growth rate (CAGR) in 2015. Organizations that develop a comprehensive approach to information security can not only significantly reduce their risks but may also reduce the costs of breaches that occur.
File integrity monitoring software is a critical tool for protection against modern risks, which include sophisticated cyber criminals who gain undetected access to business networks for long periods of time. Malware has become increasingly difficult to detect with anti-malware controls, and a lack of adequate file integrity monitoring can allow criminals to collect data over a long period of time.
In this blog, you'll learn about two common forms of file integrity monitoring—agentless and agent-based software solutions. We'll share some details about the pros and cons of each, so you can determine which type best fits your compliance and risk mitigation needs.
What's the Difference Between Agent vs. Agentless File Integrity Monitoring?
The term "agent" refers to whether or not the integrity monitoring application is present on each monitored device. Agentless software lives on a gateway server and captures changes remotely. In contrast, agent-based software runs on the device itself and can capture all user activity regardless of how the user is connected to the network infrastructure.
The primary security difference between these two types of file integrity monitoring software is how often files are "polled," or scanned for changes:
- Agent-based file integrity monitoring has the ability to detect changes in real-time and provide admins with complete details on changes.
- Agentless monitoring polls files at a certain time interval to determine whether changes have occurred or not.
While some agentless solutions allow administrative users to designate the period between file scans, others do not.
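An added illustration of the polling model described above (not code from the original post or from any vendor's product): a scheduled scan compares SHA-256 snapshots, so it reports only the net difference between two polls. The function names and sample files are constructed for this example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = digest
    return state

def diff(baseline, current):
    """Compare two snapshots; return sorted (kind, path) change records."""
    changes = []
    for path in baseline.keys() | current.keys():
        if path not in baseline:
            changes.append(("added", path))
        elif path not in current:
            changes.append(("removed", path))
        elif baseline[path] != current[path]:
            changes.append(("modified", path))
    return sorted(changes)

def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: two scheduled polls bracket three file events."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "app.conf", b"mode=strict\n")
        write(root, "hosts", b"127.0.0.1 localhost\n")
        poll_1 = snapshot(root)                          # scheduled scan N
        # Events between scans; an on-host agent would log each as it happens.
        write(root, "app.conf", b"mode=permissive\n")    # event 1
        write(root, "app.conf", b"mode=strict\n")        # event 2: reverted
        write(root, "hosts", b"127.0.0.1 localhost\n10.0.0.5 db\n")  # event 3
        poll_2 = snapshot(root)                          # scheduled scan N+1
        return diff(poll_1, poll_2)

if __name__ == "__main__":
    print(demo())
```

Three events occurred, but the comparison reports one: the change to `app.conf` that was reverted before the next scan leaves no trace in a snapshot diff, which is why the scan interval determines what a polling design can see.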
Pros & Cons of Agent-Based File Integrity Monitoring Software
Pros:
- Increased security due to detailed reporting and the ability to detect risks in real-time.
- Captures, records, and logs all changes in real-time.
- Captures all network-connected devices, including remotely connected devices.
- Can provide a comprehensive assessment of processes, operating systems, hardware, files, and connected devices.
- Allows administrators to perform immediate risk mitigation actions such as kill session activity when necessary.
- Can cache and delay transmission of activity on mobile and laptop devices when user connectivity to VPN or network is disrupted.
Cons:
- Requires installation on all monitored devices and network elements, which can vary in difficulty according to the agent-based software vendor.
- Some RAM and CPU processing requirements.
- Can involve lower ongoing maintenance and a steeper learning curve than agentless options, depending on the vendor.
Pros & Cons of Agentless File Integrity Monitoring Software
Pros:
- Does not introduce additional RAM or CPU requirements.
- May have lower installation requirements and resource requirements, depending on the vendor.
- Can be easier to implement and maintain than agent-based options, depending on the vendor.
- May require fewer human and fiscal resources to purchase and implement.
Cons:
- Does not facilitate the real-time identification of risks, which could cause security breaches to go undetected for long periods of time.
- Some software and vendors do not allow organizations to adjust or modify the frequency of file integrity scans.
- If the scans do not occur on at least a weekly basis, you may not achieve PCI compliance.
- Does not capture local user activity, local processes, and other details.
- May not be able to meaningfully monitor custom applications and encrypted traffic.
- Requires extensive knowledge of network routing and some custom configuration to capture sufficient traffic analysis between monitored devices.
Is Agent-Based or Agentless FIM Software the Best?
Choosing between these two options requires organizations to understand the contemporary threat landscape and how their networks introduce or eliminate vulnerabilities. Based on this assessment, you can identify the option that provides an acceptable threshold of protection. The following factors may be important to take into consideration:
1. Are You Virtual?
Agentless solutions are often less effective for organizations with a high percentage of virtual servers because they capture changes remotely. If your infrastructure is highly virtualized, it may be more effective to monitor all connected devices with an agent-based option.
2. Do You Prefer Exceeding Regulatory Requirements?
While PCI-DSS standards represent security best practices, you should assess your tolerance for risk. PCI-compliant agentless security software can allow an entire week between scans, which could allow data-collection malware to exist on your network for that entire length of time. In some organizations, meeting regulatory requirements does not equate to sufficient protection.
3. Can You Provide External Privileged Access?
Agentless software requires organizations to provide external access to critical systems. This may be forbidden by policy, or require extensive custom configuration.
4. What Kind of Functionality Do You Need?
Not all changes to critical files are negative. Some changes are positive, others are necessary, while others can indicate a breach of security or policy. Sorting through a list of changes to identify the ones which require remediation can be time-consuming.
Assess whether you prefer changes that are prioritized by assessed risk, which can be more common with agent-based solutions.
5. Are You in Severe Need of IT Resources?
If your organization has poor executive buy-in to information security and compliance, agentless software could offer some key advantages. Typically, fewer resources are needed for installation and maintenance due to design. While your IT staff may prefer the idea of agent-based integrity monitoring solutions, agentless options could be a far better fit for your budget and allocated resources.
6. Are You Trying to Grow Information Security?
Agent-based solutions can grow with your information security program. For companies that are looking to become more involved in active monitoring and response, an agent-based program can offer wider functionality and more in-depth reporting on the "quality" of changes to critical files.
The Bottom Line
Is agent-based or agentless file integrity monitoring software the best choice? The answer depends entirely on your company's priorities, risk tolerance, resources, and other key factors. By understanding your ability to implement a file integrity monitoring solution and other business requirements, you can select the option that is the best fit for your compliance and risk mitigation needs.
CimTrak is a best-of-class alternative to other file integrity monitoring software. This agent-based solution offers truly unique functionality, including the ability to fully resolve negative changes to critical files. To see CimTrak in action, schedule a demo, or download our Definitive Guide to File Integrity Monitoring today.
April 19, 2016